The news that JD Wetherspoon have deleted their email database of 750,000+ names, saying “we won’t be emailing you anymore and we have deleted your details” and “from now on you can contact us and find out about events and news here”, pointing to their Facebook page and Twitter profile, has received wide coverage.
It is understandable that businesses are taking seriously the General Data Protection Regulation (“GDPR”), which comes into force next May, when fines for non-compliance can be the higher of 4% of worldwide gross turnover or €20m! And Wetherspoons obviously believe that this should assist in their GDPR compliance.
However, whilst Wetherspoons have decided in effect to “outsource” a part of their online data processing activity with customers, relating for example to new beers or wines and what is on the menu, their marketing and data processing activities would typically comprise much more than that.
Also, whilst no doubt Facebook and other social media will be aware of their obligations under the GDPR, Wetherspoons will need to have in place detailed agreements with social media providers regarding their processing of Wetherspoons’ personal data.
Wetherspoons, like every other business, will need to be GDPR-compliant in relation to all of the data processing activities they undertake; for example, payroll bureau services, human resources, web-hosting, cloud providers, communications with their other offices and the sharing of personal data with other “partners”.
Even where a business decides that outsourcing data processing is the “answer” to GDPR compliance, the agreements they will need to have with third-party processors will need to be very carefully negotiated and drafted. Any breaches of security or other provisions of GDPR will remain the responsibility of the business controlling the data, which will remain liable for fines and penalties under the GDPR.
Businesses need to take action now to get GDPR ready. The clock is ticking – May 25 2018 is just around the corner.